B File Store References
This appendix describes the system-jazn-data.xml and jazn-data.xml files that specify file identity stores. File identity stores are supported in Java SE applications only. This appendix includes the following topics:
- File Store Hierarchy
- File Store Elements and Attributes
- <actions>
- <actions-delimiter>
- <app-role>
- <app-roles>
- <application>
- <applications>
- <attribute>
- <class>
- <codesource>
- <credentials>
- <description>
- <display-name>
- <extended-attributes>
- <grant>
- <grantee>
- <guid>
- <jazn-data>
- <jazn-policy>
- <jazn-realm>
- <matcher-class>
- <member>
- <member-resource>
- <member-resources>
- <members>
- <name>
- <owner>
- <owners>
- <permission>
- <permissions>
- <permission-set>
- <permission-sets>
- <policy-store>
- <principal>
- <principals>
- <provider-name>
- <realm>
- <resource>
- <resources>
- <resource-name>
- <resource-type>
- <resource-types>
- <role>
- <role-categories>
- <role-category>
- <role-name-ref>
- <roles>
- <type>
- <type-name-ref>
- <uniquename>
- <url>
- <user>
- <users>
- <value>
- <values>
File Store Hierarchy
This section describes the element hierarchy of the system-jazn-data.xml and jazn-data.xml files. The <jazn-data> element is the root element. The elements directly under this root element are:
- <jazn-realm>
- <policy-store>
- <jazn-policy>
The <jazn-principal-classes> and <jazn-permission-classes> elements and their subelements may appear in the system-jazn-data.xml file as subelements of the <policy-store> element, but they are for backward compatibility only.
Table B-1 Hierarchy of Elements in system-jazn-data.xml and jazn-data.xml
Element | Description |
---|---|
<jazn-data> | The top-level element in the file. |
<jazn-realm> | Specifies security realms, and the users and enterprise groups included in each realm. |
<policy-store> | Configures application-level policies. Define roles at the application level, and then define members in the roles. Members of a role are users and other roles. When <jazn-policy> appears under an <application> element, it specifies application-level policies. |
<jazn-policy> | When <jazn-policy> appears directly under the <jazn-data> element, it specifies global policies. |
The hierarchy under each of the three child elements of <jazn-data>, with the permitted number of occurrences of each element in braces, is as follows.
Under <jazn-realm>:
<jazn-realm> {0 or 1}
  <realm> {0 or more}
    <name> {1}
    <users> {0 or 1}
      <user> {0 or more}
        <name> {1}
        <display-name> {0 or 1}
        <description> {0 or 1}
        <guid> {0 or 1}
        <credentials> {0 or 1}
    <roles> {0 or 1}
      <role> {0 or more}
        <name> {1}
        <display-name> {0 or 1}
        <description> {0 or 1}
        <guid> {0 or 1}
        <members> {0 or 1}
          <member> {0 or more}
            <type> {1}
            <name> {1}
        <owners> {0 or 1}
          <owner> {0 or more}
            <type> {1}
            <name> {1}
Under <policy-store>:
<policy-store> {0 or 1}
  <applications> {0 or 1}
    <application> {1 or more}
      <name> {1}
      <description> {0 or 1}
      <app-roles> {0 or 1}
        <app-role> {1 or more}
          <name> {1}
          <class> {1}
          <display-name> {0 or 1}
          <description> {0 or 1}
          <guid> {0 or 1}
          <uniquename> {0 or 1}
          <extended-attributes> {0 or 1}
            <attribute> {1 or more}
              <name> {1}
              <values> {1}
                <value> {1 or more}
          <members> {0 or 1}
            <member> {1 or more}
              <name> {1}
              <class> {1}
              <uniquename> {0 or 1}
              <guid> {0 or 1}
      <role-categories> {0 or 1}
        <role-category> {1 or more}
          <name> {1}
          <display-name> {0 or 1}
          <description> {0 or 1}
          <members> {0 or 1}
            <role-name-ref> {1}
      <resource-types> {0 or 1}
        <resource-type> {1 or more}
          <name> {1}
          <display-name> {1}
          <description> {0 or 1}
          <provider-name> {1}
          <matcher-class> {1}
          <actions-delimiter> {1}
          <actions> {0 or more}
      <resources> {0 or 1}
        <resource> {1 or more}
          <name> {1}
          <display-name> {1}
          <description> {0 or 1}
          <type-name-ref> {1}
      <permission-sets> {0 or 1}
        <permission-set> {1 or more}
          <name> {1}
          <member-resources> {1 or more}
            <member-resource> {1 or more}
              <resource-name> {1}
              <type-name-ref> {1}
              <actions> {0 or 1}
      <jazn-policy> {0 or 1}
        <grant> {0 or more}
          <description> {0 or 1}
          <grantee> {0 or 1}
            <principals> {0 or 1}
              <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
            <codesource> {0 or 1}
              <url> {1}
          <permissions> {0 or 1}
            <permission> {1 or more}
              <class> {1}
              <name> {0 or 1}
              <actions> {0 or 1}
Under <jazn-policy>:
<jazn-policy> {0 or 1}
  <grant> {0 or more}
    <description> {0 or 1}
    <grantee> {0 or 1}
      <principals> {0 or 1}
        <principal> {0 or more}
          <name> {1}
          <class> {1}
          <uniquename> {0 or 1}
          <guid> {0 or 1}
      <codesource> {0 or 1}
        <url> {1}
    <permissions> {0 or 1}
      <permission> {1 or more}
        <class> {1}
        <name> {0 or 1}
        <actions> {0 or 1}
    <permission-sets>
      <permission-set>
        <name>
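The cardinalities in Table B-1 can be checked mechanically before a file is loaded, which is a cheap way to catch a hand-edited store that the runtime would reject or silently misread. The following Python script is an added example, not part of this appendix or of OPSS: it transcribes part of the table (the <jazn-realm> branch and a top-level <jazn-policy>) into a rule map keyed by element path, walks a constructed jazn-data.xml fragment with xml.etree, and reports every child count that falls outside the stated range. The rule map, the sample document and the report wording are the example's own.

```python
"""Check a jazn-data.xml document against the element cardinalities of Table B-1.
Added example, not Oracle code.  RULES transcribes a subset of the table; how the
{0 or 1} / {1} / {1 or more} annotations are encoded is this example's choice."""
import xml.etree.ElementTree as ET
from collections import Counter

UNBOUNDED = None  # upper bound for "{0 or more}" and "{1 or more}"

# Cardinality of child elements, keyed by the parent's path from the root.
RULES = {
    "jazn-data": {"jazn-realm": (0, 1), "policy-store": (0, 1), "jazn-policy": (0, 1)},
    "jazn-data/jazn-realm": {"realm": (0, UNBOUNDED)},
    "jazn-data/jazn-realm/realm": {"name": (1, 1), "users": (0, 1), "roles": (0, 1)},
    "jazn-data/jazn-realm/realm/users": {"user": (0, UNBOUNDED)},
    "jazn-data/jazn-realm/realm/users/user": {
        "name": (1, 1), "display-name": (0, 1), "description": (0, 1),
        "guid": (0, 1), "credentials": (0, 1)},
    "jazn-data/jazn-realm/realm/roles": {"role": (0, UNBOUNDED)},
    "jazn-data/jazn-realm/realm/roles/role": {
        "name": (1, 1), "display-name": (0, 1), "description": (0, 1),
        "guid": (0, 1), "members": (0, 1), "owners": (0, 1)},
    "jazn-data/jazn-realm/realm/roles/role/members": {"member": (0, UNBOUNDED)},
    "jazn-data/jazn-realm/realm/roles/role/members/member": {"type": (1, 1), "name": (1, 1)},
    "jazn-data/jazn-policy": {"grant": (0, UNBOUNDED)},
    "jazn-data/jazn-policy/grant": {
        "description": (0, 1), "grantee": (0, 1), "permissions": (0, 1)},
    "jazn-data/jazn-policy/grant/grantee": {"principals": (0, 1), "codesource": (0, 1)},
    "jazn-data/jazn-policy/grant/grantee/principals": {"principal": (0, UNBOUNDED)},
    "jazn-data/jazn-policy/grant/grantee/principals/principal": {
        "name": (1, 1), "class": (1, 1), "uniquename": (0, 1), "guid": (0, 1)},
    "jazn-data/jazn-policy/grant/grantee/codesource": {"url": (1, 1)},
    "jazn-data/jazn-policy/grant/permissions": {"permission": (1, UNBOUNDED)},
    "jazn-data/jazn-policy/grant/permissions/permission": {
        "class": (1, 1), "name": (0, 1), "actions": (0, 1)},
}


def check_cardinality(xml_text):
    """Return a list of violation strings; an empty list means the covered subtree conforms."""
    root = ET.fromstring(xml_text)
    problems = []

    def walk(elem, path):
        rules = RULES.get(path)
        if rules is not None:
            counts = Counter(child.tag for child in elem)
            for tag, (lo, hi) in rules.items():
                n = counts.get(tag, 0)
                if n < lo or (hi is not None and n > hi):
                    upper = "*" if hi is None else hi
                    problems.append(f"{path}: <{tag}> occurs {n} time(s), expected {lo}..{upper}")
            for tag in counts:
                if tag not in rules:
                    problems.append(f"{path}: unexpected child <{tag}>")
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return problems


# Constructed sample: the second <user> lacks <name>, and the <grant> has two <grantee> elements.
SAMPLE = """<jazn-data>
  <jazn-realm>
    <realm>
      <name>jazn.com</name>
      <users>
        <user><name>developer1</name><credentials>!password</credentials></user>
        <user><credentials>!password</credentials></user>
      </users>
    </realm>
  </jazn-realm>
  <jazn-policy>
    <grant>
      <grantee><principals><principal>
        <class>oracle.security.jps.service.policystore.TestUser</class><name>jack</name>
      </principal></principals></grantee>
      <grantee><codesource><url>file://some-path</url></codesource></grantee>
      <permissions>
        <permission><class>java.io.FilePermission</class><name>/foo</name><actions>read,write</actions></permission>
      </permissions>
    </grant>
  </jazn-policy>
</jazn-data>"""

if __name__ == "__main__":
    for problem in check_cardinality(SAMPLE):
        print(problem)
```

Elements whose path has no entry in RULES are walked but not judged, so the map can be extended one branch at a time (the <policy-store> branch of Table B-1 is the obvious next addition).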
File Store Elements and Attributes
The following sections describe the elements and attributes used in the system-jazn-data.xml and jazn-data.xml files:
<actions>
This element specifies the operations permitted by the associated permission class. Values are case-sensitive and are specific to each permission implementation.
Parent Element
<permission>, <resource-type>, or <member-resource>
Child Elements
None
Occurrence
Optional, zero or one:
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} ... <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Examples
See <jazn-policy> for examples.
<actions-delimiter>
This element specifies the character used to separate the actions of the associated resource type.
Parent Element
<resource-type>
Child Elements
None
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {0 or more}
Example
For an example, see <resource-type>.
<app-role>
This element specifies an application role.
Required subelements specify the following:
- <name> specifies the name of the application role.
- <class> specifies the fully qualified name of the class implementing the application role.
Optional subelements can specify the following:
- <description> provides more information about the application role.
- <display-name> specifies a display name for the application role, such as for use by GUI interfaces.
- <guid> specifies a globally unique identifier to reference the application role. This is for internal use only.
- <members> specifies the users, roles, or other application roles that are members of this application role.
- <uniquename> specifies a unique name to reference the application role. This is for internal use only.
Parent Element
<app-roles>
Child Elements
<class>, <description>, <display-name>, <guid>, <members>, <name>, <uniquename>
Occurrence
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Examples
See <policy-store> for examples.
<app-roles>
This element specifies a set of application roles.
Parent Element
<application>
Child Elements
<app-role>
Occurrence
Optional, zero or one:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ...
Example
See <policy-store> for examples.
<application>
This element specifies roles and policies for an application.
Required subelements specify the following information for an application:
- <name> specifies the name of the application.
Optional subelements can specify the following:
- <description> provides information about the application and its roles and policies.
- <app-roles> specifies any application-level roles.
- <jazn-policy> specifies any application-level policies.
Parent Element
<applications>
Child Elements
<app-roles>, <description>, <jazn-policy>, <name>, <permission-sets>, <resource-types>, <resources>, <role-categories>
Occurrence
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ...
Example
See <policy-store> for examples.
<applications>
This element specifies a set of applications.
Parent Element
<policy-store>
Child Elements
<application>
Occurrence
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} ...
Example
See <policy-store> for an example.
<attribute>
This element specifies an attribute of an application role.
Parent Element
<extended-attributes>
Occurrence
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <guid> {0 or 1}
<class>
This element specifies several values depending on its location in the configuration file:
- Within the <app-role> element, <class> specifies the fully qualified name of the class implementing the application role:
  <app-role>
    ...
    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
- Within the <member> element, <class> specifies the fully qualified name of the class implementing the role member:
  <app-role>
    ...
    <members>
      <member>
        ...
        <class>weblogic.security.principal.WLSUserImpl</class>
- Within the <permission> element (for granting permissions to a principal), <class> specifies the fully qualified name of the class implementing the permission. Values are case-insensitive:
  <jazn-policy>
    <grant>
      ...
      <permissions>
        <permission>
          <class>java.io.FilePermission</class>
- Within the <principal> element (for granting permissions to a principal), it specifies the fully qualified name of the principal class, which is the class instantiated to represent a principal granted a set of permissions:
  <jazn-policy>
    <grant>
      ...
      <grantee>
        <principals>
          <principal>
            ...
            <class>oracle.security.jps.service.policystore.TestUser</class>
Parent Element
<app-role>, <member>, <permission>, or <principal>
Child Elements
None
Occurrence
Required, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} ... <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> and <policy-store> for examples.
<codesource>
This element specifies the URL of the code to which permissions are granted.
The policy configuration can also include a <principals> element, in addition to the <codesource> element. Both elements are children of a <grantee> element, and they specify who or what the permissions in question are being granted to.
For variables that can be used in the specification of a <codesource> URL, see <url>.
Parent Element
<grantee>
Child Elements
<url>
Occurrence
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> for examples.
<credentials>
This element specifies the authentication password for a user. The credentials are, by default, in obfuscated form.
Parent Element
<user>
Child Elements
None
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1}
Example
See <jazn-realm> for examples.
<description>
This element specifies a text string that provides textual information about an item.
Parent Element
<app-role>, <application>, <grant>, <role>, or <user>
Child Elements
None
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} ... <description> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} ... <description> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ... <description> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1}
Example
The fmwadmin user might have the following description:
<description>User with administrative privileges</description>
See <jazn-realm> for additional examples.
<display-name>
This element specifies the name of an item. Depending on the parent element, an item can be an application role, user, or enterprise group.
Parent Element
<app-role>, <role>, or <user>
Child Elements
None
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1}
Example
The fmwadmin user might have the following display name:
<display-name>Administrator</display-name>
See <jazn-realm> for additional examples.
<extended-attributes>
This element specifies attributes of an application role.
Parent Element
<app-role>
Child Elements
<attribute>
Occurrence
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Example
<app-roles>
  <app-role>
    <name>Knight</name>
    <display-name>Fellowship For the Ring</display-name>
    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
    <extended-attributes>
      <attribute>
        <name>SCOPE</name>
        <values>
          <value>Part-I</value>
        </values>
      </attribute>
    </extended-attributes>
  </app-role>
<grant>
This element specifies the recipient of the grant (a codesource, a set of principals, or both) and the permissions assigned to it.
Parent Element
<jazn-policy>
Child Elements
<description>, <grantee>, <permissions>
Occurrence
Optional, zero or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> for examples.
<grantee>
This element, in conjunction with a parallel <permissions> element, specifies who or what the permissions are granted to: a set of principals, a codesource, or both.
Parent Element
<grant>
Child Elements
<principals>, <codesource>
Occurrence
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> for examples.
<guid>
This element is for internal use only. It specifies a globally unique identifier (GUID) to reference the item.
Depending on the parent element, the item referenced may be an application role, application role member, principal, enterprise group, or user, and the GUID uniquely identifies that item. GUIDs are sometimes generated and used internally by OPSS.
Parent Element
<app-role>, <member>, <principal>, <role>, or <user>
Child Elements
None
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} ...
Example
See <jazn-realm> for examples.
<jazn-data>
This element specifies the top-level element in the system-jazn-data.xml file.
Attributes
Name | Description |
---|---|
 | Specifies the major version number of the |
 | Specifies the minor version number of the |
Parent Element
n/a
Child Elements
<jazn-realm>, <policy-store>, <jazn-policy>
Occurrence
Required, one only
<jazn-data ... > {1} <jazn-realm> {0 or 1} ...
<policy-store> {0 or 1} ...
<jazn-policy> {0 or 1} ...
Example
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd">
  ...
</jazn-data>
<jazn-policy>
This element specifies policy grants that associate grantees (principals or code sources) with permissions.
This element can appear in two different locations in the system-jazn-data.xml file:
- Under the <jazn-data> element, it specifies global policies.
- Under the <application> element, it specifies application-level policies.
Parent Element
<jazn-data> or <application>
Child Elements
<grant>
Occurrence
Optional, zero or one
<jazn-data> {1} <jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} ... <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Examples of jazn-policy
This is the first example of jazn-policy:
<jazn-policy>
  <grant>
    <grantee>
      <principals>
        <principal>
          <class>oracle.security.jps.service.policystore.TestUser</class>
          <name>jack</name>
        </principal>
        <principal>
          <class>oracle.security.jps.service.policystore.TestUser</class>
          <name>jill</name>
        </principal>
      </principals>
      <codesource>
        <url>file:${oracle.deployed.app.dir}/<MyApp>${oracle.deployed.app.ext}</url>
      </codesource>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.security.jps.JpsPermission</class>
        <name>getContext</name>
      </permission>
      <permission>
        <class>java.io.FilePermission</class>
        <name>/foo</name>
        <actions>read,write</actions>
      </permission>
    </permissions>
  </grant>
</jazn-policy>
This is the second example of jazn-policy:
<jazn-policy>
  <grant>
    <grantee>
      <principals>
        <principal>
          <class>oracle.security.jps.service.policystore.TestAdminRole</class>
          <name>Farm=farm1,name=FullAdministrator</name>
        </principal>
      </principals>
      <codesource>
        <url>file://some-path</url>
      </codesource>
    </grantee>
    <permissions>
      <permission>
        <class>javax.management.MBeanPermission</class>
        <name>oracle.as.management.topology.mbeans.InstanceOperations#getAttribute</name>
        <actions>invoke</actions>
      </permission>
    </permissions>
  </grant>
</jazn-policy>
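A reviewer of a policy file usually wants a flat answer to "who gets what". The following Python script is an added example, not Oracle's code: it walks each <grant> of a constructed <jazn-policy> modelled on the first example above, pairs the grantee (principal class and name, and the codesource URL) with its permission classes, targets and actions, and adds review flags for a java.io.FilePermission that carries write, delete or execute actions and for a <grant> with no <permissions> element (which, as the <permissions> entry of this appendix notes, the OPSS runtime requires). The flagging rules and the sample policy are the example's own choices.

```python
"""Summarise the grants of a <jazn-policy>.  Added example, not Oracle code."""
import xml.etree.ElementTree as ET

# Actions on a java.io.FilePermission that this example treats as worth a second
# look during review; the choice of set is the example's own, not an OPSS rule.
RISKY_FILE_ACTIONS = {"write", "delete", "execute"}


def _text(elem, path):
    """Text of the first element matching path below elem, stripped, or "" if absent."""
    value = elem.findtext(path)
    return value.strip() if value else ""


def summarise_grants(xml_text):
    """Return one dict per <grant>: its principals, codesource, permissions and review flags."""
    root = ET.fromstring(xml_text)
    policy = root if root.tag == "jazn-policy" else root.find(".//jazn-policy")
    report = []
    for grant in policy.findall("grant"):
        principals = [(_text(p, "class"), _text(p, "name"))
                      for p in grant.findall("grantee/principals/principal")]
        url = _text(grant, "grantee/codesource/url") or None
        permissions, flags = [], []
        for perm in grant.findall("permissions/permission"):
            cls, target = _text(perm, "class"), _text(perm, "name")
            # <actions> is a comma-separated list; absent means no actions.
            actions = {a.strip() for a in _text(perm, "actions").split(",") if a.strip()}
            permissions.append((cls, target, sorted(actions)))
            risky = actions & RISKY_FILE_ACTIONS
            if cls == "java.io.FilePermission" and risky:
                flags.append(f"FilePermission on {target!r} allows {sorted(risky)}")
        if not principals and url is None:
            flags.append("grant has neither <principals> nor <codesource>")
        if not permissions:
            flags.append("grant has no <permissions>; OPSS requires them in every <grant>")
        report.append({"principals": principals, "codesource": url,
                       "permissions": permissions, "flags": flags})
    return report


# Constructed sample modelled on the first example above (the codesource URL uses a
# plain MyApp segment so that it parses as text); not a real policy.
SAMPLE_POLICY = """<jazn-policy>
  <grant>
    <grantee>
      <principals>
        <principal>
          <class>oracle.security.jps.service.policystore.TestUser</class>
          <name>jack</name>
        </principal>
      </principals>
      <codesource>
        <url>file:${oracle.deployed.app.dir}/MyApp${oracle.deployed.app.ext}</url>
      </codesource>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.security.jps.JpsPermission</class>
        <name>getContext</name>
      </permission>
      <permission>
        <class>java.io.FilePermission</class>
        <name>/foo</name>
        <actions>read,write</actions>
      </permission>
    </permissions>
  </grant>
  <grant>
    <grantee>
      <principals>
        <principal>
          <class>oracle.security.jps.service.policystore.TestUser</class>
          <name>jill</name>
        </principal>
      </principals>
    </grantee>
  </grant>
</jazn-policy>"""

if __name__ == "__main__":
    for i, entry in enumerate(summarise_grants(SAMPLE_POLICY), 1):
        print(f"grant {i}: principals={entry['principals']} codesource={entry['codesource']}")
        for cls, target, actions in entry["permissions"]:
            print(f"  {cls} {target} {actions}")
        for flag in entry["flags"]:
            print(f"  FLAG: {flag}")
```

The report is deliberately per-grant rather than per-principal: a principal that appears in several grants accumulates all of them, and the union is what a least-privilege review has to reason about.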
<jazn-realm>
This element specifies security realms and the users in each of them. It is the top-level element for user and role information.
Attribute
Parent Element
<jazn-data>
Child Elements
<realm>
Occurrence
Optional, zero or one
<jazn-data> {1} <jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} ...
Example
<jazn-data ... >
  ...
  <jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <users>
        <user deactivated="true">
          <name>anonymous</name>
          <guid>61FD29C0D47E11DABF9BA765378CF9F3</guid>
          <description>The default guest/anonymous user</description>
        </user>
        <user>
          <name>developer1</name>
          <credentials>!password</credentials>
        </user>
        <user>
          <name>developer2</name>
          <credentials>!password</credentials>
        </user>
        <user>
          <name>manager1</name>
          <credentials>!password</credentials>
        </user>
        <user>
          <name>manager2</name>
          <credentials>!password</credentials>
        </user>
        <!-- these are for testing the admin role hierarchy. -->
        <user>
          <name>farm-admin</name>
          <credentials>!password</credentials>
        </user>
        <user>
          <name>farm-monitor</name>
          <credentials>!password</credentials>
        </user>
        <user>
          <name>farm-operator</name>
          <credentials>!password</credentials>
        </user>
        <user>
          <name>farm-auditor</name>
          <credentials>!password</credentials>
        </user>
        <user>
          <name>farm-auditviewer</name>
          <credentials>!password</credentials>
        </user>
      </users>
      <roles>
        <role>
          <name>users</name>
          <guid>31FD29C0D47E11DABF9BA765378CF9F7</guid>
          <display-name>users</display-name>
          <description>users role for rmi/ejb access</description>
        </role>
        <role>
          <name>ascontrol_appadmin</name>
          <guid>51FD29C0D47E11DABF9BA765378CF9F7</guid>
          <display-name>ASControl App Admin Role</display-name>
          <description>Application Administrative role for ASControl</description>
        </role>
        <role>
          <name>ascontrol_monitor</name>
          <guid>61FD29C0D47E11DABF9BA765378CF9F7</guid>
          <display-name>ASControl Monitor Role</display-name>
          <description>Monitor role for ASControl</description>
        </role>
        <role>
          <name>developers</name>
          <members>
            <member>
              <type>user</type>
              <name>developer1</name>
            </member>
            <member>
              <type>user</type>
              <name>developer2</name>
            </member>
          </members>
        </role>
        <role>
          <name>managers</name>
          <members>
            <member>
              <type>user</type>
              <name>manager1</name>
            </member>
            <member>
              <type>user</type>
              <name>manager2</name>
            </member>
          </members>
        </role>
      </roles>
    </realm>
  </jazn-realm>
  ...
</jazn-data>
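The realm above lists users and roles as separate subtrees, so answering "which roles does this user end up in" means resolving the <member> entries of every role. The following Python script is an added example, not Oracle's code: it parses a constructed <jazn-realm> modelled on the example above, resolves role membership (following members of type user, and members of type role, a value this page does not show and which the example assumes names another enterprise group of the same realm), and reports users with no <credentials> element, deactivated users that are still role members, and members that name a user the realm does not define. The deactivated="true" attribute is the one the example above uses; the findings and their wording are the example's own.

```python
"""Audit the users and roles of a <jazn-realm>.  Added example, not Oracle code.
Assumptions: a <member> whose <type> is "user" names a <user> of the realm, and a
<type> of "role" (not shown on this page) names another <role> of the same realm."""
import xml.etree.ElementTree as ET


def audit_realm(xml_text):
    """Return {"users": {name: info}, "findings": [str]} for the first <realm> found."""
    root = ET.fromstring(xml_text)
    realm = root if root.tag == "realm" else root.find(".//realm")

    users = {}
    for user in realm.findall("users/user"):
        users[user.findtext("name")] = {
            "deactivated": user.get("deactivated") == "true",  # attribute used in the example
            "has_credentials": user.find("credentials") is not None,
            "roles": set(),
        }

    # Direct members of each role as (type, name) pairs, in document order.
    role_members = {
        role.findtext("name"): [(m.findtext("type"), m.findtext("name"))
                                for m in role.findall("members/member")]
        for role in realm.findall("roles/role")
    }

    def users_of(role, seen):
        """All users reachable from a role, following nested roles without looping."""
        if role in seen:
            return set()
        seen.add(role)
        found = set()
        for mtype, mname in role_members.get(role, []):
            if mtype == "user":
                found.add(mname)
            elif mtype == "role":  # assumed type value for a nested enterprise group
                found |= users_of(mname, seen)
        return found

    findings = []
    for role in role_members:
        for name in sorted(users_of(role, set())):
            if name in users:
                users[name]["roles"].add(role)
            else:
                findings.append(f"{role}: member user '{name}' is not defined in the realm")
    for name, info in users.items():
        if not info["has_credentials"]:
            findings.append(f"{name}: no <credentials> element")
        if info["deactivated"] and info["roles"]:
            findings.append(f"{name}: deactivated but still a member of {sorted(info['roles'])}")
    return {"users": users, "findings": findings}


# Constructed sample modelled on the example above; not a real identity store.
SAMPLE_REALM = """<jazn-realm default="jazn.com">
  <realm>
    <name>jazn.com</name>
    <users>
      <user deactivated="true">
        <name>anonymous</name>
        <description>The default guest/anonymous user</description>
      </user>
      <user><name>developer1</name><credentials>!password</credentials></user>
      <user><name>manager1</name><credentials>!password</credentials></user>
    </users>
    <roles>
      <role>
        <name>users</name>
        <members>
          <member><type>user</type><name>anonymous</name></member>
          <member><type>user</type><name>developer1</name></member>
        </members>
      </role>
      <role>
        <name>managers</name>
        <members><member><type>user</type><name>manager1</name></member></members>
      </role>
      <role>
        <name>admins</name>
        <members>
          <member><type>role</type><name>managers</name></member>
          <member><type>user</type><name>ghost</name></member>
        </members>
      </role>
    </roles>
  </realm>
</jazn-realm>"""

if __name__ == "__main__":
    result = audit_realm(SAMPLE_REALM)
    for name, info in result["users"].items():
        print(name, sorted(info["roles"]))
    for finding in result["findings"]:
        print("FINDING:", finding)
```

The seen set in users_of matters in practice: two roles that list each other as members would otherwise recurse without end, and a stale member entry for a deleted user is exactly the kind of drift the last finding surfaces.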
<matcher-class>
This element specifies the fully qualified name of the class for a resource type. Queries for resources of this type delegate to this class. Values are case-sensitive.
Parent Element
<resource-type>
Child Elements
None
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {1 or more}
Example
For an example, see <resource-type>.
<member>
This element specifies the members of a set, such as a <role> or an <app-role> element:
- When under a <role> element, it specifies a member of the enterprise group. A member can be a user or another enterprise group. The <name> subelement specifies the name of the member, and the <type> subelement specifies the member type (a user or an enterprise group).
- When under an <app-role> element, it specifies a member of the application role. A member can be a user, an enterprise group, or an application role. The <name> subelement specifies the name of the member, and the <class> subelement specifies the class that implements it. The member type is determined by the <class> element.
Parent Element
<members>
Child Elements
- When under a <role> element, the <member> element has the following child elements: <name>, <type>
- When under an <app-role> element, the <member> element has the following child elements: <name>, <class>, <uniquename>, <guid>
Occurrence
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Example
See <jazn-realm> and <policy-store> for examples.
<member-resource>
This element specifies resources for a permission set.
Parent Element
<member-resources>
Child Elements
<resource-name>, <type-name-ref>, <actions>
Occurrence
Required within <member-resources>, one or more.
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <permission-sets> {0 or 1} <permission-set> {1 or more} <name> {1} <member-resources> {1 or more} <member-resource> {1 or more} <resource-name> {1} <type-name-ref> {1} <actions> {0 or 1}
Example
For an example, see <permission-set>.
<member-resources>
This element specifies a set of member resources.
Parent Element
<permission-set>
Child Elements
<member-resource>
Occurrence
Required within <permission-sets>; one or more.
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <permission-sets> {0 or 1} <permission-set> {1 or more} <name> {1} <member-resources> {1 or more} <member-resource> {1 or more} <resource-name> {1} <type-name-ref> {1} <actions> {0 or 1}
Example
For an example, see <permission-set>.
<members>
This element specifies a set of members.
Parent Element
<role>, <app-role>, or <role-category>
Child Elements
<member>; within <role-category>, <role-name-ref>
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Example
See <jazn-realm> and <policy-store> for examples.
<name>
This element has different uses, depending on its location in the file:
- Within the <app-role> element, it specifies the name of an application-level role in the policy configuration. For example:
  <name>Farm=farm1,name=FullAdministrator</name>
  Or a simpler example:
  <name>Myrolename</name>
- Within the <application> element, it specifies the policy context identifier.
- Within the <attribute> element, it specifies the name of an additional attribute for the application-level role.
- Within the <member> element, it specifies the name of a member of an enterprise group or application role (depending on where the <member> element is located). For example, if the fmwadmin user is a member of the role:
  <name>fmwadmin</name>
- Within the <owner> element, it specifies the name of an owner of an enterprise group. For example:
  <name>mygroupowner</name>
- Within the <permission> element, as applicable, it specifies the name of a permission meaningful to the permission class. Values are case-sensitive. For example:
  <name>oracle.as.management.topology.mbeans.InstanceOperations#getAttribute</name>
  Or:
  <name>getContext</name>
- Within the <principal> element (for granting permissions to a principal), it specifies the name of a principal within the given realm. For example:
  <name>Administrators</name>
- Within the <realm> element, it specifies the name of a realm. For example:
  <name>jazn.com</name>
- Within the <role> element, it specifies the name of an enterprise group in a realm. For example:
  <name>Administrators</name>
- Within the <user> element, it specifies the name of a user in a realm. For example:
  <name>fmwadmin</name>
- Within the <resource-type> element, it specifies the name of a resource type and is required. For example:
  <name>restype1</name>
Parent Element
<app-role>, <application>, <attribute>, <member>, <owner>, <permission>, <principal>, <realm>, <role>, or <user>
Child Elements
None
Occurrence
Required within any parent element other than <permission>, one only. Optional within <permission>, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
<application>
  <name>peanuts</name>
  <app-roles>
    <app-role>
      <name>snoopy</name>
      <display-name>application role snoopy</display-name>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <members>
        <member>
          .......
See <jazn-policy>, <jazn-realm>, and <policy-store> for examples.
<owner>
This element specifies the owner of the enterprise group, where an owner has administrative authority over the role.
An owner is a user or another enterprise group. The <type> subelement specifies the owner's type. The concept of role (group) owners specifically relates to BPEL or Oracle Internet Directory functionality. For example, in BPEL, a role owner has the capability to create and update workflow rules for the role.
Parent Element
<owners>
Occurrence
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<owners>
This element specifies a set of owners.
Parent Element
<role>
Child Elements
<owner>
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
Parent topic: File Store References
<permission>
This element specifies the permission to grant to grantees, where a grantee is a set of principals, a codesource, or both, as part of a policy configuration.
Parent Element
Occurrence
Required within parent element, one or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy>
for examples.
Parent topic: File Store References
<permissions>
This element specifies a set of permissions.
The <permissions> element (used in conjunction with a parallel <grantee> element) specifies the permissions being granted, with a set of <permission> subelements.
The system-jazn-data.xml schema definition does not specify this as a required element, but the OPSS runtime requires its use within any <grant> element.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy>
for examples.
Parent topic: File Store References
<permission-set>
A permission set (or entitlement) specifies a set of permissions.
Parent Element
Child Elements
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <permission-sets> {0 or 1} <permission-set> {1 or more} <name> {1} <member-resources> {1 or more} <member-resource> {1 or more} <resource-name> {1} <type-name-ref> {1} <actions> {0 or 1}
Example
The following example illustrates the configuration of a permission set:
```xml
<permission-sets>
  <permission-set>
    <name>permsetName</name>
    <member-resources>
      <member-resource>
        <type-name-ref>TaskFlowResourceType</type-name-ref>
        <resource-name>resource1</resource-name>
        <actions>customize,view</actions>
      </member-resource>
    </member-resources>
  </permission-set>
</permission-sets>
```
Note the following points about permission sets:
- The actions specified in a <member-resource> must match one or more of the actions specified for the resource type referenced in <type-name-ref>.
- A <member-resources> can have multiple <member-resource> elements in it.
- Permission sets must have at least one resource.
- Permission sets can exist without being granted to any principal.
In addition, in a permission, the name, description, and display name are case-sensitive.
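The cross-check the first note calls for, as an added Python example rather than anything the page or OPSS ships: it loads an <application> fragment and reports member resources whose actions are not declared by the referenced <resource-type>, resources referenced with the wrong case (resource names are case-sensitive, type names are not), and permission sets with no resource at all. The XML fragment is constructed for this example; the ExternalType resource type with its empty action list (actions determined externally, per <resource-type>) is an assumption, not taken from the page, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): two resource types, two declared
# resources and three permission sets. "badSet" deliberately references the
# resource with the wrong case and asks for actions the type does not declare.
SAMPLE_APPLICATION = """<application>
  <name>demoApp</name>
  <resource-types>
    <resource-type>
      <name>TaskFlowResourceType</name>
      <display-name>TaskFlowResourceType_disp</display-name>
      <provider-name>resTypeProv</provider-name>
      <matcher-class>oracle.adf.controller.security.TaskFlowPermission</matcher-class>
      <actions-delimiter>,</actions-delimiter>
      <actions>customize,view</actions>
    </resource-type>
    <resource-type>
      <name>ExternalType</name>
      <display-name>ExternalType_disp</display-name>
      <provider-name>extProv</provider-name>
      <matcher-class>com.example.ExternalPermission</matcher-class>
      <actions-delimiter>,</actions-delimiter>
    </resource-type>
  </resource-types>
  <resources>
    <resource><name>resource1</name><display-name>Resource1</display-name><type-name-ref>TaskFlowResourceType</type-name-ref></resource>
    <resource><name>ext1</name><display-name>Ext1</display-name><type-name-ref>ExternalType</type-name-ref></resource>
  </resources>
  <permission-sets>
    <permission-set>
      <name>viewOnly</name>
      <member-resources>
        <member-resource><type-name-ref>taskflowresourcetype</type-name-ref><resource-name>resource1</resource-name><actions>view</actions></member-resource>
      </member-resources>
    </permission-set>
    <permission-set>
      <name>externalSet</name>
      <member-resources>
        <member-resource><type-name-ref>ExternalType</type-name-ref><resource-name>ext1</resource-name><actions>anything</actions></member-resource>
      </member-resources>
    </permission-set>
    <permission-set>
      <name>badSet</name>
      <member-resources>
        <member-resource><type-name-ref>TaskFlowResourceType</type-name-ref><resource-name>Resource1</resource-name><actions>View,delete</actions></member-resource>
      </member-resources>
    </permission-set>
  </permission-sets>
</application>
"""


def load_resource_types(app):
    """Return {lower-cased type name: (delimiter, declared actions)}.
    Type names are case-insensitive, so the key is lower-cased; action strings
    are case-sensitive and kept verbatim. An empty set means the actions on
    instances of that type are determined externally."""
    types = {}
    for rt in app.iterfind("./resource-types/resource-type"):
        name = (rt.findtext("name") or "").strip().lower()
        delim = rt.findtext("actions-delimiter") or ","
        raw = rt.findtext("actions") or ""
        types[name] = (delim, {a.strip() for a in raw.split(delim) if a.strip()})
    return types


def load_resources(app):
    """Set of (lower-cased type name, exact resource name) declared under <resources>."""
    return {((r.findtext("type-name-ref") or "").strip().lower(), (r.findtext("name") or "").strip())
            for r in app.iterfind("./resources/resource")}


def validate_permission_sets(xml_text):
    """Return a list of (permission-set name, problem) tuples; empty means clean."""
    app = ET.fromstring(xml_text)
    types, resources, findings = load_resource_types(app), load_resources(app), []
    for ps in app.iterfind("./permission-sets/permission-set"):
        ps_name = (ps.findtext("name") or "").strip()
        members = list(ps.iterfind("./member-resources/member-resource"))
        if not members:
            findings.append((ps_name, "permission set declares no member resource"))
        for mr in members:
            type_ref = (mr.findtext("type-name-ref") or "").strip().lower()
            res_name = (mr.findtext("resource-name") or "").strip()
            if type_ref not in types:
                findings.append((ps_name, f"unknown resource type {type_ref!r}"))
                continue
            delim, declared = types[type_ref]
            if (type_ref, res_name) not in resources:
                findings.append((ps_name, f"resource {res_name!r} of type {type_ref!r} is not declared under <resources>"))
            if not declared:
                continue  # actions for this type are determined externally; nothing to compare against
            requested = {a.strip() for a in (mr.findtext("actions") or "").split(delim) if a.strip()}
            for action in sorted(requested - declared):
                findings.append((ps_name, f"action {action!r} is not declared by resource type {type_ref!r}"))
    return findings


if __name__ == "__main__":
    for name, problem in validate_permission_sets(SAMPLE_APPLICATION):
        print(f"{name}: {problem}")
```

Run it against a real application's fragment before importing the file; a permission set that names an undeclared action is silently ineffective, which is easy to mistake for a deny.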
Parent topic: File Store References
<permission-sets>
This element specifies a collection of permission sets.
Parent Element
Child Elements
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <permission-sets> {0 or 1} <permission-set> {1 or more} <name> {1} <member-resources> {1 or more} <member-resource> {1 or more} <resource-name> {1} <type-name-ref> {1} <actions> {0 or 1}
Example
For an example, see <permission-set>.
Parent topic: File Store References
<policy-store>
This element configures application policies. Under <applications> there is an <application> for each application. The policies are specified in a <jazn-policy> of each <application>.
The <jazn-principal-classes> and <jazn-permission-classes> elements and their subelements may appear in the system-jazn-data.xml schema definition as subelements of <policy-store>, but are for backward compatibility only.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-data> {1} <policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} ...
Example
```xml
<jazn-data ... >
  ...
  <policy-store>
    <!-- application policy -->
    <applications>
      <application>
        <name>policyOnly</name>
        <jazn-policy>
          ...
        </jazn-policy>
      </application>
      <application>
        <name>roleOnly</name>
        <app-roles>
          <app-role>
            <name>Fellowship</name>
            <display-name>Fellowship of the Ring</display-name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
          </app-role>
          <app-role>
            <name>King</name>
            <display-name>Return of the King</display-name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
          </app-role>
        </app-roles>
      </application>
      <application>
        <app-roles>
          <app-role>
            <name>Farm=farm1,name=FullAdministrator</name>
            <display-name>farm1.FullAdministrator</display-name>
            <guid>61FD29C0D47E11DABF9BA765378CF9F2</guid>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                <name>admin</name>
              </member>
            </members>
          </app-role>
        </app-roles>
        <jazn-policy>
          ...
        </jazn-policy>
      </application>
      ...
    </applications>
  </policy-store>
  ...
</jazn-data>
```
See <jazn-policy>
for examples of that element.
Parent topic: File Store References
<principal>
This element specifies a principal being granted the permissions specified in a <permissions> element as part of a policy configuration. It appears under <principals>.
Subelements specify the name of the principal and the class that implements it, and optionally specify a unique name and unique global identifier (the latter two for internal use only).
Parent Element
Child Elements
Occurrence
Optional, zero or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy>
for examples.
Parent topic: File Store References
<principals>
This element specifies a set of principals.
For policy configuration, a <principals> element, a <codesource> element, or both are used under a <grantee> element to specify who or what the permissions are being granted to. A <principals> element specifies the set of principals being granted the permissions.
For a subject to receive these permissions, it must hold every principal listed: the principals are combined conjunctively, so listing more principals narrows the grant rather than widening it.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy>
for examples.
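How the all-principals rule plays out when a policy is evaluated, as an added Python example (not code from the page or from OPSS). It parses a constructed <jazn-policy> fragment, applies a grant only when the subject holds every listed principal, and separately reports grants without a <permissions> element, which <permissions> above says the OPSS runtime requires. The principal classes are the two this appendix uses for application and enterprise roles; the permission class java.io.FilePermission, the paths and the principal names are constructed for the example. Grants that carry a <codesource> are set aside because they also need the code location matched, which this block does not model.

```python
import xml.etree.ElementTree as ET

APP_ROLE_CLASS = "oracle.security.jps.service.policystore.ApplicationRole"
ENT_ROLE_CLASS = "oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl"

# Constructed sample policy (not from the page): grant 1 needs two principals,
# grant 2 needs one, grant 3 is malformed because it has no <permissions>.
SAMPLE_POLICY = """<jazn-policy>
  <grant>
    <description>requires BOTH principals</description>
    <grantee>
      <principals>
        <principal><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>snoopy</name></principal>
        <principal><class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class><name>admin</name></principal>
      </principals>
    </grantee>
    <permissions>
      <permission><class>java.io.FilePermission</class><name>/var/app/config/-</name><actions>read,write</actions></permission>
    </permissions>
  </grant>
  <grant>
    <grantee>
      <principals>
        <principal><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>snoopy</name></principal>
      </principals>
    </grantee>
    <permissions>
      <permission><class>java.io.FilePermission</class><name>/var/app/data/-</name><actions>read</actions></permission>
    </permissions>
  </grant>
  <grant>
    <description>third grant</description>
    <grantee>
      <principals>
        <principal><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>snoopy</name></principal>
      </principals>
    </grantee>
  </grant>
</jazn-policy>
"""


def _principals(node):
    """Set of (class, name) pairs under a <principals> element."""
    return {((p.findtext("class") or "").strip(), (p.findtext("name") or "").strip())
            for p in node.iterfind("./principal")}


def evaluate(policy_xml, subject):
    """Return (granted, skipped, rejected) for a subject given as a set of
    (principal class, principal name) pairs.

    granted : set of (permission class, name, actions) the subject receives;
    skipped : labels of grants with a <codesource>, which need code-location
              matching on top of the principal check;
    rejected: labels of grants this evaluator refuses: no <permissions>, or a
              <grantee> with neither <principals> nor <codesource>.
    A grant applies only when the subject holds every principal it lists."""
    root = ET.fromstring(policy_xml)
    granted, skipped, rejected = set(), [], []
    for i, grant in enumerate(root.iterfind("./grant"), 1):
        label = (grant.findtext("description") or f"grant #{i}").strip()
        perms = grant.find("permissions")
        if perms is None:
            rejected.append(f"{label}: no <permissions> element")
            continue
        grantee = grant.find("grantee")
        if grantee is None or (grantee.find("principals") is None and grantee.find("codesource") is None):
            rejected.append(f"{label}: no <principals> or <codesource> under <grantee>")
            continue
        if grantee.find("codesource") is not None:
            skipped.append(label)
            continue
        required = _principals(grantee.find("principals"))
        if not required.issubset(subject):
            continue  # missing even one listed principal means the grant does not apply
        for p in perms.iterfind("./permission"):
            granted.add(((p.findtext("class") or "").strip(),
                         (p.findtext("name") or "").strip(),
                         (p.findtext("actions") or "").strip()))
    return granted, skipped, rejected


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, {(APP_ROLE_CLASS, "snoopy")}))
    print(evaluate(SAMPLE_POLICY, {(APP_ROLE_CLASS, "snoopy"), (ENT_ROLE_CLASS, "admin")}))
```

The first call shows a subject holding only the application role: it receives the data permission but not the config permission, because the first grant also requires the enterprise role.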
Parent topic: File Store References
<provider-name>
This element specifies the name of a resource type provider. The resource resides in a location external to the domain security store. Values are case-insensitive.
Parent Element
Child Elements
None
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {0 or more}
Example
For an example, see <resource-type>.
Parent topic: File Store References
<realm>
This element specifies a security realm and the users and roles in it.
Parent Element
Occurrence
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} ...
Example
See <jazn-realm>
for an example.
Parent topic: File Store References
<resource>
This element specifies an application resource and contains information about the resource.
Parent Element
Child Elements
Occurrence
One or more, required under <resources>.
<resources> {0 or more} <resource> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <type-name-ref> {1}
Example
The following example illustrates the configuration of a resource (instance):
```xml
<resources>
  <resource>
    <name>resource1</name>
    <display-name>Resource1DisplayName</display-name>
    <description>Resource1 Description</description>
    <type-name-ref>TaskFlowResourceType</type-name-ref>
  </resource>
</resources>
```
Note that the name, description, and display names are case-sensitive.
Parent topic: File Store References
<resources>
This element specifies a collection of application resources.
Parent Element
Child Elements
Occurrence
Optional, zero or more
<resources> {0 or more} <resource> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <type-name-ref> {1}
Example
For an example, see <resource>.
Parent topic: File Store References
<resource-name>
This element specifies a member resource in a permission set. Values are case-sensitive.
Parent Element
Child Elements
None
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <permission-sets> {0 or 1} <permission-set> {1 or more} <name> {1} <member-resources> {1 or more} <member-resource> {1 or more} <resource-name> {1} <type-name-ref> {1} <actions> {0 or 1}
Example
For an example, see <permission-set>.
Parent topic: File Store References
<resource-type>
This element specifies the type of a secured artifact, such as a flow, a job, or a web service. Values are case-insensitive.
Parent Element
Child Elements
<name>, <display-name>, <description>, <actions>, <actions-delimiter>, <matcher-class>, <provider-name>.
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {0 or more}
Example
The following example illustrates the configuration of a resource type:
```xml
<resource-types>
  <resource-type>
    <name>TaskFlowResourceType</name>
    <display-name>TaskFlowResourceType_disp</display-name>
    <description>Resource Type for Task Flow</description>
    <provider-name>resTypeProv</provider-name>
    <matcher-class>oracle.adf.controller.security.TaskFlowPermission</matcher-class>
    <actions-delimiter>,</actions-delimiter>
    <actions>customize,view</actions>
  </resource-type>
</resource-types>
```
The following points apply to the specification of a resource type:
- The name is required and case-insensitive.
- The provider name is optional and case-insensitive. A provider is used when there are resources managed in a store other than the security store. When specified, the class in a <provider-name> element is used as a resource finder. Queries for resources of this type (with the ResourceManager method) delegate to this class instead of using the built-in resource finder.
- The class specification is required and case-sensitive.
- The description and display specifications are optional and case-insensitive.
- The action specification is optional and case-sensitive. The list of actions in a resource type can be empty. An empty action list indicates that the actions on instances of the resource type are determined externally.
Parent topic: File Store References
<resource-types>
This element specifies a set of resource types.
Parent Element
Child Elements
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {0 or more}
Example
For an example, see <resource-type>.
Parent topic: File Store References
<role>
This element specifies an enterprise security role, as opposed to an application-level role, and the members (and optionally owners) of that role.
Parent Element
Child Elements
<description>, <display-name>, <guid>, <members>, <name>, <owners>
Occurrence
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
Example
See <jazn-realm>
for examples.
Parent topic: File Store References
<role-categories>
This element specifies the parent element of <role-category> elements.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> {0 or 1} <role-category> {1 or more} <name> {1} <description> {0 or 1} <display-name> {0 or 1}
Example
See Using checkPermission for an example.
Parent topic: File Store References
<role-category>
This element specifies a flat set of application roles.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> {0 or 1} <role-category> {1 or more} <name> {1} <description>{0 or 1} <display-name>{0 or 1} <members> {0 or 1}
Example
See Using checkPermission for an example.
Parent topic: File Store References
<role-name-ref>
This element specifies an application role within a role category.
Parent Element
Child Elements
None
Occurrence
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> {0 or 1} <role-category> {1 or more} <name> {1} <description> {0 or 1} <members> {0 or 1} <role-name-ref> {1}
Parent topic: File Store References
<roles>
This element specifies a set of enterprise roles that belong to the security realm.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
Example
See <jazn-realm>
for an example.
Parent topic: File Store References
<type>
This element specifies the type of an enterprise group member or role owner: specifically, whether the member or owner is a user or another role:
<type>user</type>
Or:
<type>role</type>
Child Elements
None
Occurrence
Required, one only
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
Example
See <jazn-realm>
for examples.
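Resolving who actually holds an enterprise role once members of <type>role</type> nest inside other roles, together with the owner check described under <owner>, as an added Python example (not code from the page or from OPSS). The realm fragment is constructed for the example and includes a deliberate membership cycle between the ops and superusers roles, which the traversal must survive; the function names are this example's own. A <type> value other than user or role is rejected up front.

```python
import xml.etree.ElementTree as ET
from collections import deque

# Constructed realm (not from the page): "admins" is a member of "superusers",
# "superusers" and "ops" are members of each other (a cycle), and "admins"
# owns "ops" while the user asmith owns "admins".
SAMPLE_REALM = """<jazn-realm>
  <realm>
    <name>jazn.com</name>
    <users>
      <user><name>jdoe</name></user>
      <user><name>asmith</name></user>
    </users>
    <roles>
      <role>
        <name>admins</name>
        <members><member><type>user</type><name>jdoe</name></member></members>
        <owners><owner><type>user</type><name>asmith</name></owner></owners>
      </role>
      <role>
        <name>superusers</name>
        <members>
          <member><type>role</type><name>admins</name></member>
          <member><type>role</type><name>ops</name></member>
        </members>
      </role>
      <role>
        <name>ops</name>
        <members>
          <member><type>role</type><name>superusers</name></member>
          <member><type>user</type><name>asmith</name></member>
        </members>
        <owners><owner><type>role</type><name>admins</name></owner></owners>
      </role>
    </roles>
  </realm>
</jazn-realm>
"""


def _typed_names(node, path):
    """Set of (type, name) pairs from <member> or <owner> children; <type> must be user or role."""
    out = set()
    for el in node.iterfind(path):
        mtype = (el.findtext("type") or "").strip()
        mname = (el.findtext("name") or "").strip()
        if mtype not in ("user", "role"):
            raise ValueError(f"<type> must be user or role, got {mtype!r}")
        out.add((mtype, mname))
    return out


def load_realm(xml_text, realm_name):
    """Return (roles, owners): {role name: members} and {role name: owners} for one realm."""
    root = ET.fromstring(xml_text)
    for realm in root.iterfind("./realm"):
        if (realm.findtext("name") or "").strip() != realm_name:
            continue
        roles, owners = {}, {}
        for role in realm.iterfind("./roles/role"):
            rname = (role.findtext("name") or "").strip()
            roles[rname] = _typed_names(role, "./members/member")
            owners[rname] = _typed_names(role, "./owners/owner")
        return roles, owners
    raise KeyError(f"realm {realm_name!r} not found")


def effective_roles(roles, user):
    """All roles the user holds, directly or through nested role membership.
    The result set doubles as the visited set, so a membership cycle terminates."""
    result = set()
    queue = deque(r for r, members in roles.items() if ("user", user) in members)
    while queue:
        r = queue.popleft()
        if r in result:
            continue
        result.add(r)
        queue.extend(parent for parent, members in roles.items()
                     if ("role", r) in members and parent not in result)
    return result


def can_administer(roles, owners, user, role):
    """True when the user owns the role directly or holds a role listed as its owner."""
    held = effective_roles(roles, user)
    return any(o == ("user", user) or (o[0] == "role" and o[1] in held)
               for o in owners.get(role, ()))


if __name__ == "__main__":
    roles, owners = load_realm(SAMPLE_REALM, "jazn.com")
    for u in ("jdoe", "asmith"):
        print(u, sorted(effective_roles(roles, u)))
```

Because role ownership carries administrative authority over the role, the owner check is worth running for every role when reviewing a file store: an owner reachable only through a nested role is easy to overlook when reading the XML by hand.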
Parent topic: File Store References
<type-name-ref>
This element specifies the resource type of a resource.
Parent Element
Child Elements
None
Occurrence
One only. Required within <resource> or <member-resource>.
<resources> {0 or more} <resource> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <type-name-ref> {1}
Example
For an example, see <resource>.
Parent topic: File Store References
<uniquename>
This element, for internal use, takes a string value that uniquely names the item. (The JpsPrincipal class can use a GUID and unique name, both computed by the underlying policy provisioning APIs, to uniquely identify a principal.) Depending on the parent element, the item can be an application role, an application role member (not an enterprise group member), or a principal. A unique name is sometimes generated and used internally by Oracle Platform Security.
The unique name for an application role has the form "appid=application_name, name=actual_rolename". For example:
```xml
<principal>
  <class>oracle.security.jps.service.policystore.adminroles.AdminRolePrincipal</class>
  <uniquename>APPID=App1,name="FARM=D.1.2.3,APPLICATION=PolicyServlet,TYPE=OPERATOR"</uniquename>
</principal>
```
Parent Element
Child Elements
None
Occurrence
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Parent topic: File Store References
<url>
This element specifies the URL of the code granted permissions.
Note the following points:
- URL values cannot be restricted to a single class.
- URL values with a ".jar" suffix match that JAR file only (standard Java codeBase semantics).
- URL values with a "/" suffix match all class files (not JAR files) in the specified directory.
- URL values with a "/*" suffix match all files (both class and JAR files) in the specified directory.
- URL values with a "/-" suffix match all files (both class and JAR files) in the specified directory and, recursively, all files in subdirectories.
- The system variables oracle.deployed.app.dir and oracle.deployed.app.ext can be used to specify a URL independent of the platform.
Parent Element
Child Elements
None
Occurrence
Required within parent element, one only
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
The following example illustrates the use of the system variables oracle.deployed.app.dir and oracle.deployed.app.ext to specify URLs independent of the server platform.
Suppose an application grant requires a codesource URL that differs with the server platform:
```xml
<grant>
  <grantee>
    <codesource>
      <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/myApp/-</url>
    </codesource>
  </grantee>
  <permissions>
    ...
  </permissions>
</grant>
```
Then, using the following system variable settings:
```
-Doracle.deployed.app.dir=${DOMAIN_HOME}/servers/${SERVER_NAME}/tmp/_WL_user
-Doracle.deployed.app.ext=/-
```
the following specification is possible:
```xml
<grant>
  <grantee>
    <codesource>
      <url>file:${oracle.deployed.app.dir}/<MyApp>${oracle.deployed.app.ext}</url>
    </codesource>
  </grantee>
  <permissions>
    ...
  </permissions>
</grant>
```
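The suffix rules and the system-variable substitution above, as an added Python example (not code from the page or from OPSS) that decides whether a <codesource><url> covers a given code location. The -D values in PROPS and the domain paths are constructed; a URL ending in ".jar" is taken to match only that JAR, per Java codeBase semantics, and "in the specified directory" is read as non-recursive for the "/" and "/*" forms. An unresolved ${...} placeholder is treated as an error rather than left as literal text, since a literal placeholder would match no real path and silently turn a grant into a no-op.

```python
import re

# ${name} placeholders in a <url>, resolved from the -D system variables.
_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed values (not from the page) standing in for the -D settings
# shown above; the domain and server paths are assumptions.
PROPS = {
    "oracle.deployed.app.dir": "/u01/domains/base_domain/servers/AdminServer/tmp/_WL_user",
    "oracle.deployed.app.ext": "/-",
}
GRANT_URL = "file:${oracle.deployed.app.dir}/myApp${oracle.deployed.app.ext}"


def expand(url, props):
    """Substitute ${name} placeholders from props; an unresolved placeholder
    would leave a literal "${...}" that matches nothing, so fail loudly."""
    def sub(match):
        name = match.group(1)
        if name not in props:
            raise KeyError(f"unresolved placeholder ${{{name}}} in {url}")
        return props[name]
    return _PLACEHOLDER.sub(sub, url)


def codesource_implies(grant_url, code_url, props=None):
    """Decide whether a <codesource><url> covers a code location.

    "/-"  : the directory and everything beneath it, recursively;
    "/*"  : class and JAR files directly in the directory;
    "/"   : class files (not JARs) directly in the directory;
    other : exact match (the usual case is a path ending in .jar)."""
    props = props or {}
    g, c = expand(grant_url, props), expand(code_url, props)
    if g.endswith("/-"):
        return c.startswith(g[:-1])
    if g.endswith("/*"):
        prefix = g[:-1]
        rest = c[len(prefix):]
        return c.startswith(prefix) and rest != "" and "/" not in rest
    if g.endswith("/"):
        rest = c[len(g):]
        return c.startswith(g) and rest.endswith(".class") and "/" not in rest
    return g == c


if __name__ == "__main__":
    target = "file:" + PROPS["oracle.deployed.app.dir"] + "/myApp/lib/util.jar"
    print(expand(GRANT_URL, PROPS), "->", codesource_implies(GRANT_URL, target, PROPS))
```

Worth checking in review: a grant written with "/-" on a deployment directory covers every JAR that later lands under it, including libraries nobody had in mind when the grant was written, so prefer the narrowest suffix that still matches the code you intend to trust.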
Parent topic: File Store References
<user>
This element specifies a user within a realm.
Attributes
Name | Description |
---|---|
|
Specifies whether the user is valid or not. Set to Values: Default: |
Parent Element
Child Elements
<name>, <display-name>, <description>, <guid>, <credentials>
Occurrence
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} ...
Example
See <jazn-realm>
for examples.
Parent topic: File Store References
<users>
This element specifies the set of users belonging to a realm.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} ...
Example
See <jazn-realm>
for an example.
Parent topic: File Store References
<value>
This element specifies a value for an attribute. Specify additional attributes for application-level roles with the <extended-attributes> element.
Parent Element
Child Elements
None
Occurrence
Required within the parent element, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Example
```xml
<app-roles>
  <app-role>
    <name>Knight</name>
    <display-name>Fellowship of the Ring</display-name>
    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
    <extended-attributes>
      <attribute>
        <name>SCOPE</name>
        <values>
          <value>Part-I</value>
        </values>
      </attribute>
    </extended-attributes>
  </app-role>
</app-roles>
```
Parent topic: File Store References
<values>
This element specifies a set of values, each of which specifies one value of an attribute. An attribute can have more than one value.
Parent Element
Child Elements
Occurrence
Required within the parent element, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Example
```xml
<app-roles>
  <app-role>
    <name>Knight</name>
    <display-name>Fellowship of the Ring</display-name>
    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
    <extended-attributes>
      <attribute>
        <name>SCOPE</name>
        <values>
          <value>Part-I</value>
        </values>
      </attribute>
    </extended-attributes>
  </app-role>
</app-roles>
```
Parent topic: File Store References